"All the livor and drama that followed your research proves that the Linux Foundation failed to learn the lessons of Heartbleed," Tesio said in a post to the kernel mailing list.
He was referring to a 2014 vulnerability in OpenSSL, a cryptographic library that enables SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption. The flaw would have allowed attackers to monitor all information that flows between a user and a Web service, and could even decrypt past traffic collected. The bug was discovered by three researchers from security firm Codenomicon and Neel Mehta, a security researcher at Google.
Tesio said what the students — Qiushi Wu and Aditya Pakki — and their instructor — Kangjie Lu — had done was a valuable discovery "for all of us".
Tesio said: "You are the kids laughing loud that 'the emperor has no clothes'. More precisely, that the emperor STILL has no clothes. Ten years later.
"The corporations behind the Linux kernel didn't take it well (you wasted their time and money! you outsmarted them! how dare [you]!), but the hypocrisy in your commits is not the one you revealed.
"Pretending that such kinds of attacks didn't succeed before, pretending that the problem is you, is way worse."
While the University trio have submitted a so-called open letter of apology to Kroah-Hartman and the kernel project, the institution will have to climb down a number of pegs and make a public mea culpa if it is to regain the rights to submit patches again.
Kroah-Hartman was not impressed by the "open letter", telling the trio that they would have to meet the terms of a letter sent jointly to the University by the Linux Foundation - which funds kernel development - and its Technical Advisory Board.
The operative part of the letter, which was leaked to the American website ZDNet, says: "Please provide to the public, in an expedited manner, all information necessary to identify all proposals of known-vulnerable code from any U of MN experiment.
"The information should include the name of each targeted software, the commit information, purported name of the proposer, email address, date/time, subject, and/or code, so that all software developers can quickly identify such proposals and potentially take remedial action for such experiments."
The submission of these rogue patches began in 2018 and will increase the load on kernel developers who would have to check every patch from this institution.
Linux creator Linus Torvalds told iTWire that while such a submission was not a huge deal, it was obviously a breach of trust.
Regarding the letter sent by the Foundation, Tesio said: "But any programmer with a grain of salt, knows that they are just trying to distract everybody from their own operational failures.
"They blame you and your University just to avoid to be held accountable. It's neither you nor your University that need to regain trust. It's not you that proved to not deserve it. Your crime is that of curiosity.
"How sad it is to see a project born 'just for fun', turned into this! But since I care more about cyber security than about OSS marketing, I thank you for what you did. I hope that more of such kind of hacks and experiments will happen in the future, both in the Linux kernel and in many other projects.
"All without ANYBODY [being] aware of them, because otherwise they would prevent such epic failures to be discovered and publicly exposed, again and again. What you did was not just ethical, but noble and brave."
